What is the expected behavior?
The domain venom-assets.edmunds-media.com is part of the TLS certificate for http://www.edmunds.com and any calls to it should be trusted after the initial handshake. i.e should happen only once at the beginning.

Welcome to "credentialed connection" hell. Fonts are considered non-credentialed and are requested on an "anonymous" connection. From Chrome and Firefox's perspective that means using a completely separate connection where cookies are never sent.

(06-07-2018 07:14 AM)pmeenan Wrote: Welcome to "credentialed connection" hell. Fonts are considered non-credentialed and are requested on an "anonymous" connection. From Chrome and Firefox's perspective that means using a completely separate connection where cookies are never sent.

The OCSP requests are cert revocation checks because of EV certificates. The only way to eliminate both of them is to use DV certs instead of EV certs. You can get rid of one of them by enabling OCSP stapling on the server.

Contrast this to a random WordPress site running straight Apache with a highly optimized HTTP2 TLS stack + optimized assets...

Very different waterfall.

Just looks... a bit odd...

Hi dfavor
#3 is actually our main content download.
Also we are set up for HTTP/2. You can confirm this by entering the site at https://tools.keycdn.com/http2-test
Getting off NGINX is not a decision we can take lightly. Do you have some more info/references on why Apache+http/2 is better than nginx+http/2?